Trojan.JS.Injector.A
The presence of an obfuscated javascript in all the html pages that you visit through IE, Firefox or Opera.
The script is ussualy at the end of the html and contains a reference to the IP: „85.12.43.[removed]”. The presence of the script can be easly shown by searching the following string in the html file: „indexOf("85.12.43.[removed]") >= 0) return;”
The script is a javascript piece of code that gets injected in every html file viewed by the infected user. The presence of the script is usually accompanied by Trojan.Vundo.FKW or Trojan.Vundo.FCB although other versions can be also responsable. Vundo is responsible with the injection of the script in every html viewed. More on the behavior of Trojan.Vundo can be found here mentioning that this version that accompanies Trojan.JS.Injector.A doesn’t show pop-ups, but just inserts the script.
Trojan.JS.Injector.A scans the current html code and replaces the contents of the ad found with a random one from the IP mentioned above.
It also sends back to the malware server, information about the curent user, the domain visited and the link to the actual ad that had been replaced.
SHARE
THIS ON